Department of Revenue: Cybersecurity Controls Assessment - Oregon

Department of Revenue

Cybersecurity Controls Assessment

January 2019 | Report 2019-03

Secretary of State Dennis Richardson | Audits Division Director Kip Memmott



Report Highlights

This audit was conducted to assess critical security controls and the Department of Revenue's (DOR) information technology (IT) security management program. We concluded the agency should update its security management program to reflect recent statewide changes to IT security governance structures, as well as correct weaknesses in inventory management, vulnerability management, control of administrative accounts, configuration change management, and audit logging processes.

Background

DOR handles sensitive information, including taxpayer personal information and tax data. The agency, in collaboration with the Enterprise Security Office at the Office of the State Chief Information Officer (OSCIO), is responsible for implementing a security management program to ensure the confidentiality, availability, and integrity of the information with which it is entrusted.

Purpose

The purpose of this audit was to determine whether DOR has implemented an appropriate IT security management program and the basic cybersecurity controls necessary to ensure cyber defense readiness.

Key Findings

1. DOR has implemented a security management program, but associated plans and procedures have not been updated to reflect current staffing levels and reorganization of statewide security by the OSCIO.

2. DOR lacks specific policies and fully automated controls for many elements of the basic security controls identified by the Center for Internet Security. These basic controls should be implemented in every organization to reduce the risk that attackers could compromise systems and data.

Recommendations

We recommend DOR improve its security management program and remedy weaknesses we identified in the basic controls defined by the Center for Internet Security.

DOR agreed with all of our recommendations. The agency's response can be found at the end of the report.

Introduction

Cybersecurity is a growing concern for both the private and public sectors. In order to protect against growing threats, information technology (IT) security management professionals need to apply robust controls at various levels of infrastructure to protect their networks, servers, and user workstations. State agencies utilize a variety of frameworks and standards with varying levels of detail to guide these efforts.

In the spring of 2018, the Audits Division developed a repeatable audit program to evaluate cybersecurity risks and provide a high-level view of an agency's current state. For criteria, we chose to use the Center for Internet Security's CIS Controls™, version 7, a prioritized list of 20 high-priority defensive actions that provide a starting point for enterprises to improve cyber defense.1 The controls are divided into three categories: basic, foundational, and organizational. This assessment covers the first six basic controls, which are defined as key controls that should be implemented in every organization for essential cyber defense readiness.

In the following pages, we present our assessment results as graphs depicting whether a particular control is not implemented, partially implemented, or fully implemented. This provides agency management, the Legislature, and those with responsibility for cybersecurity in the state with a snapshot of areas with higher risk that may need additional controls applied. It also provides the Audits Division with valuable information about an entity that we can use in our audit planning process so we can focus limited audit resources where the risks are highest.

The assessment does not consider an individual agency's risk appetite, so while these controls are considered basic by many security practitioners, agency management may choose not to fully implement a control to the highest level if they believe the cost of doing so outweighs the risk. In addition, we generally considered compensating controls that might mitigate risks, but we did not perform a detailed assessment of potential compensating controls for each subcontrol.

State agencies and the Office of the State Chief Information Officer share responsibility for cybersecurity in Oregon government

In September 2016, the Governor signed Executive Order 16-13, unifying IT security functions for the majority of state agencies in order to protect and secure information entrusted to the State of Oregon.2 The order directed executive state agencies to consolidate security functions and staffing into the Office of the State Chief Information Officer (OSCIO), which is part of the Department of Administrative Services. In addition, the order instructed agencies to work with the newly consolidated group to develop and implement security plans, rules, policies, and standards adopted by the State Chief Information Officer. The order was made permanent by the passage of Senate Bill 90 in June 2017, resulting in the permanent transfer of 30 security-related positions from state agencies to the OSCIO.3

The OSCIO maintains policy and performs statewide IT oversight functions. The Enterprise Security Office (ESO), a division of the OSCIO, brings together elements of enterprise security, including governance, policy, procedure, and operations under a single accountable organization. Agencies retain responsibility for many organization-level security controls and work collaboratively with the ESO to ensure the confidentiality, availability, and integrity of their sensitive business information.

1 Center for Internet Security CIS Controls
2 Executive Order 16-13, "Unifying Cyber Security in Oregon"
3 Senate Bill 90, "Transfers information technology security functions of certain state agencies in executive branch to State Chief Information Officer."

Oregon Secretary of State | Report 2019-03 | January 2019 | Page 1

The Department of Revenue (DOR) serves millions of Oregonians each year by collecting taxes and fees that fund the majority of public agencies in the state. Total revenue collected by the agency for the 2017-19 biennium is projected at $20.7 billion. Ninety percent of this revenue is transferred to the General Fund. DOR's legislatively adopted budget for 2017-19 is $313 million and includes 933 full-time equivalent staff.

